drm/omap: Take a fb reference in omap_plane_update()
authorArchit Taneja <archit@ti.com>
Tue, 9 Apr 2013 12:26:00 +0000 (15:26 +0300)
committerArchit Taneja <archit@ti.com>
Thu, 30 May 2013 15:39:26 +0000 (21:09 +0530)
When userspace calls SET_PLANE ioctl, drm core takes a reference of the fb and
passes control to the update_plane op defined by the drm driver.

In omapdrm, we have a worker thread which queues framebuffers objects received
from update_plane and displays them at the appropriate time.

It is possible that the framebuffer is destoryed by userspace between the time
of calling the ioctl and apply-worker being scheduled. If this happens, the
apply-worker holds a pointer to a framebuffer which is already destroyed.

Take an extra refernece/unreference of the fb in omap_plane_update() to prevent
this from happening. A reference is taken of the fb passed to update_plane(),
the previous framebuffer (held by plane->fb) is unreferenced. This will prevent
drm from destroying the framebuffer till the time it's unreferenced by the

This is in addition to the exisitng reference/unreference in update_pin(),
which is taken for the scanout of the plane's current framebuffer, and an
unreference the previous framebuffer.

Signed-off-by: Archit Taneja <archit@ti.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>

index dd68d14ce61588c1c0ca3f4f4f227a7bf9a06ba4..b9a94907f78596a6de268c4a4cb804191322fbf3 100644 (file)
@@ -247,6 +247,12 @@ static int omap_plane_update(struct drm_plane *plane,
        struct omap_plane *omap_plane = to_omap_plane(plane);
        omap_plane->enabled = true;
+       if (plane->fb)
+               drm_framebuffer_unreference(plane->fb);
+       drm_framebuffer_reference(fb);
        return omap_plane_mode_set(plane, crtc, fb,
                        crtc_x, crtc_y, crtc_w, crtc_h,
                        src_x, src_y, src_w, src_h,